Bug 318394

Summary: Changing meeting from another organizer causes reminder e-mail to be sent to all invitees with spoofed sender address
Product: [Applications] korganizer Reporter: Neil <hispeed.bz>
Component: invitationsAssignee: Sergio Martins <smartins>
Status: RESOLVED FIXED    
Severity: major CC: benedikt.mas, sine.nomine, smartins
Priority: NOR    
Version: 4.10.1   
Target Milestone: ---   
Platform: Fedora RPMs   
OS: Linux   
Latest Commit: http://commits.kde.org/kdepimlibs/5efe6da97ced262603b1b5b50798c5df76cc0f0d Version Fixed In: 4.11.3
Sentry Crash Report:

Description Neil 2013-04-15 15:37:26 UTC 
If an organizer sends me a weekly meeting and I accept it the meeting gets added to my calendar but the recurrence does not.  If I then go into my calendar and set the recurrence, korganizer tries to send an e-mail from the organizer (spoofs the organizer's address in the from field) to all attendees.  Fortunately my ISP blocks messages that are sent from any address but my registered from addresses so the send fails and I can delete the message from my outbox to prevent it from being sent to all invitees.


Reproducible: Always

Steps to Reproduce:
(my email address would be invitee@meeting.com)
1. Receive e-mail meeting invite from organizer@meeting.com for a weekly meeting
2. Click Accept
3. Go into calendar and open meeting
4. Notice recurrence is not set.
5. Edit meeting manually and set recurrence to weekly

Actual Results:  
Korganizer tries to send a meeting update to all attendees and spoofs the from address as organizer@meeting.com (my address is attendee@meeting.com)


Expected Results:  
Expected result: Add meeting with recurrence.

Acceptable result: Add meeting without recurrence, manually add recurrence but do NOT send update from the organizer to all attendees.


I'm tagging this as Major because it's would have been real embarrassing if my update had been successfully sent to all attendees.  Not to mention it's probably illegal to spoof email addresses in some countries ;)
Comment 1 Martin Kyral 2013-10-03 14:12:41 UTC 
I can confirm that with kdepim-4.11.1-1.fc19.x86_64. It happens even when I accept invitation to an event. Upon accepting, two emails are being sent - one confirmation to the organizer (OK) and other senseless "meeting summary" to all participants with the spoofed "From" field.
It happens even after disabling the "Use Groupware communication" feature in the korganizer settings.
This makes korganizer de-facto useless in a corporate environment, as accepting company-wide meeting spams several hundreds / thousands mailboxes with senseless junk - hiding the sender.
Comment 2 benedikt.mas 2013-10-30 10:30:21 UTC 
I can confirm this behaviour for the KDE 4.11 packages on Kubuntu. (Kontact 4.11.2)
Whenever I accept an invitation, two emails are being sent:
- One with me as the sender containing the "Accept" answer
- One with the Organizer as the sender, which is being sent using my credentials (and works as it is the same domain) to all participants, including myself. This 2nd email actually is a new event invitation that shows up in the inbox of everybody

As Martin commented, this renders the groupware communication basically useless  -I can't resend all invitations to all participants!

Benni
Comment 3 Sergio Martins 2013-10-30 18:04:54 UTC 
(In reply to comment #2)
> I can confirm this behaviour for the KDE 4.11 packages on Kubuntu. (Kontact
> 4.11.2)
> Whenever I accept an invitation, two emails are being sent:
> - One with me as the sender containing the "Accept" answer
> - One with the Organizer as the sender, which is being sent using my
> credentials (and works as it is the same domain) to all participants,
> including myself. This 2nd email actually is a new event invitation that
> shows up in the inbox of everybody
> 
> As Martin commented, this renders the groupware communication basically
> useless  -I can't resend all invitations to all participants!
> 
> Benni

That doesn't sound quite like the bug reported here, but another bug.

The fact that another e-mail was sent when accepting is fixed for 4.11.3
Changing events which we don't organizer is however buggy, will try to look at it today so it can go in 4.11.3, but most probably it will go into 4.11.4
Comment 4 Sergio Martins 2013-10-31 01:57:50 UTC 
Git commit 1a8fa1ac755ecd71991116ffffa3362d25126e85 by Sergio Martins.
Committed on 31/10/2013 at 01:36.
Pushed by smartins into branch 'KDE/4.11'.

Don't send CANCEL to attendees  when deleting an event we didn't organize.

When deleting something that's not ours, only a REPLY with
PartStat=Declined must be sent, and to the organizer only.

Due to a bug, CANCEL was being sent to everybody, as if we were
the organizer.

Unit-test will go in master.

Bug 318394 should be similar, but for modification instead of deletion.
Related: bug 217211, bug 306755
FIXED-IN: 4.11.3

M  +12   -7    akonadi/calendar/incidencechanger.cpp

http://commits.kde.org/kdepimlibs/1a8fa1ac755ecd71991116ffffa3362d25126e85
Comment 5 Sergio Martins 2013-10-31 21:53:57 UTC 
Git commit 5efe6da97ced262603b1b5b50798c5df76cc0f0d by Sergio Martins.
Committed on 31/10/2013 at 21:48.
Pushed by smartins into branch 'KDE/4.11'.

Fix bug where we would send an e-mail with a forged From:

This case happened when we were not the organizer and then
modified the event. An e-mail would be sent with From: <organizer>,
with *all* participants in CC.

The correct is to not send anything, because the user was already
warned via message boz that the event will become out of sync with
the organizer's.
Related: bug 289533
FIXED-IN: 4.11.3

M  +4    -3    akonadi/calendar/incidencechanger.cpp
M  +11   -0    akonadi/calendar/tests/itiphandlertest.cpp

http://commits.kde.org/kdepimlibs/5efe6da97ced262603b1b5b50798c5df76cc0f0d